Interactive Application Security Testing (IAST) with AcuSensor

Interactive Application Security Testing (IAST), also referred to as gray-box testing, is a testing methodology that combines techniques from black-box security testing and white-box security testing.

The combination of dynamic and static vulnerability assessment techniques brings improved coverage and quality to vulnerability test results. IAST typically works by embedding instrumentation code within a running application which allows a dynamic scanner to inspect the application while it is being scanned.

The Interactive Application Security Testing (IAST) scan complements a regular dynamic scan (DAST) scan with additional tests, coverage and context based on how the application reacts during a scan. This information is made available to the scanner thanks to an agent that is installed and enabled on the server-side when a scan is in progress.

Acunetix AcuSensor™ is an IAST offering by Acunetix for PHP, ASP.NET and Java web applications. AcuSensor™ is included by default with Acunetix and works by installing a lightweight sensor on the server where the application is running.

The following are a number of key benefits to using AcuSensor™ within automated security scans.

False Positive Reduction and Verification

Since AcuSensor™ has back-end application visibility while a scan is running, it provides Acunetix with additional information and context throughout the scan. This makes an AcuSensor™ scan even more accurate and further reduces an already low false positive and false negative rate.

Aside from being able to detect a vaster range of SQL injection vulnerabilities (including those in SQL INSERT statements), AcuSensor™ can verify the existence of following high-severity vulnerabilities with 100% accuracy by running additional tests and observing application behaviour at the backend.

Line-of-Code Visibility

AcuSensor™ can identify vulnerabilities down to specific lines of code (for PHP applications), or provide detailed stack traces (for ASP.NET and Java applications). Furthermore, for discovered SQL Injection vulnerabilities, AcuSensor™ also provides a preview of SQL queries as they would have been run by the database.

This means that identified vulnerabilities are much faster to remediate since security and development teams are pointed to the source of the problem immediately instead of wasting time tracking down a vulnerability source.

Backend Crawling

Crawling is one of the most essential phases in any dynamic scan since it is the process used to discover what the scanner should test. While the Acunetix DeepScan crawler already does a lot to discover hard-to-find pages heuristically there could still be a chance that some complexly-named files and directories are not picked up.

Since AcuSensor™ has access to the back-end of the application it can request a directory listing and supply it back to the scanner for further analysis. AcuSensor™even goes further by discovering hidden GET and POST inputs and presenting them to Acunetix for testing, making crawling much more thorough and ensuring full coverage.

No Modification to Existing Applications

Since AcuSensor™ is designed to work on running applications, it does not need to be compiled-in, and can even work with signed code (signed JAR files in Java and strong-named assemblies in ASP.NET applications). This is a major advantage over IAST offerings that require you to compile sensors within your code, often requiring you to change your build process or add software dependencies to your project.

Interactive Application Security Testing (IAST) brings advantages of both black-box and white-box security testing together to deliver the best features that each testing methodology has to offer. With AcuSensor™ built into Acunetix and support for PHP, ASP.NET and Java it’s easier than ever to take your automated application security programme to the next level and get started with IAST.